users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Drop SecurityContext from the spec?

From: Will Hopkins <will.hopkins_at_oracle.com>
Date: Sun, 19 Mar 2017 22:17:28 -0400

Let's discuss when we meet.

Until then, a question: what are people's thoughts on limiting the
implementation to Servlet and EJB containers for now. I'm wondering
whether it makes sense to wait on defining an SPI until we've had a
chance to specify roles and authorization in Security 1.x.

On 03/19/2017 08:08 PM, arjan tijms wrote:
>
>
> On Sun, Mar 19, 2017 at 11:17 PM, arjan tijms <arjan.tijms_at_gmail.com
> <mailto:arjan.tijms_at_gmail.com>> wrote:
>
> So with a small SPI interface (like e.g. the CDI RI (Weld) and the
> JSF RI (Mojarra) also have) this should be possible.
>
> I'll do a quick implementation of such an SPI in Soteria as a
> draft proposal, so we can base further discussion on that.
>
>
> I just committed this SPI and an example implementation of it here:
> https://github.com/javaee-security-spec/soteria/commit/51f8430e2310e5ed724b4684e0bef6f890ea2c81
>
>
> Specifically this small SPI interface (to be implemented by integrators):
>
> package org.glassfish.soteria.authorization.spi;
>
> import java.security.Principal;
>
> public interface CallerDetailsResolver {
> Principal getCallerPrincipal();
> boolean isCallerInRole(String role);
>
> }
>
> And a following example implementation:
>
> public class ReflectionAndJaccCallerDetailsResolver implements
> CallerDetailsResolver {
>
> @Override
> public Principal getCallerPrincipal() {
> Subject subject = JACC.getSubject();
> if (subject == null) {
> return null;
> }
> SubjectParser roleMapper = new SubjectParser(getContextID(),
> emptyList());
> return
> roleMapper.getCallerPrincipalFromPrincipals(subject.getPrincipals());
> }
>
> // isCallerInRole left to be done
> }
>
> In this example, the Subject is obtained from JACC, and then a helper
> class that has knowledge about several servers and how they store
> Principals in the Subject tries to find the caller principal in this
> subject.
>
> Again, this is a generic example and every vendor/integrator can
> implement this in whatever way, using or not using JACC.
>
> Kind regards,
> Arjan Tijms
> 

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.